Include third party services in the audit assertion's in scope system description.


CONTROL ID
16503
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an in scope system description., CC ID: 14873

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • the obligation to provide details on the scope, procedures to be followed and frequency of such inspections and audits; (Art. 30.3. ¶ 1(e)(iv), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • the nature of the services performed by the subservice organization; (¶ 2.14 Bullet 1 Sub-Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • the nature of the services provided by the subservice organization; (¶ 2.14 Bullet 2 ¶ 1 Sub-Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In addition, it may be useful for the service organization to disclose its interactions with vendors related to the services provided by them. When such disclosures are made, it may be helpful if service organization management distinguishes between the services provided by subservice organizations … (¶ 3.62, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The nature of the service provided by the subservice organization (¶ 3.64 ¶ 1 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The nature of the service provided by the subservice organization (¶ 3.60 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As part of its monitoring activities, service organization management may obtain a copy of a type 1 or type 2 report from the subservice organization if one is available. If the subservice organization's type 1 or type 2 report identifies the need for CUECs at the service organization, the descripti… (¶ 3.104, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When using the carve-out method, description criterion DC7 requires service organization management to include in the description certain disclosures about the use of a subservice organization, including the services provided by the subservice organization and the types of CSOCs it is expected to pe… (¶ 4.42, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)